Data Protection Principles in Hong Kong
Data hk provides news and analysis on issues relevant to Hong Kong. Their content is both educational and approachable – making Data hk an indispensable platform for encouraging innovation, economic growth and international competitiveness.
Hong Kong’s Personal Data (Privacy) Ordinance (“PDPO”) serves as the cornerstone of its comprehensive data protection framework. PDPO establishes an authoritative regulatory base to uphold individual rights to privacy with regards to personal information and creates stringent obligations on data users.
Under the PDPO, data must be collected lawfully and relevantly for its intended use. Furthermore, PCPD requires data users to inform subject individuals of all purposes for which their personal data will be used and any categories of persons to whom it may be transferred – this obligation does not pertain exclusively to marketing or direct advertising campaigns involving personal data; rather it applies across all uses.
Under the PDPO, “personal data” refers to any information that identifies an identifiable natural person. This definition aligns with other legislative regimes such as China’s Personal Information Protection Act and Europe’s General Data Protection Regulation as well as international norms about what constitutes personal information.
Noteworthy is the PDPO’s exclusion of extraterritorial application. While many other data privacy regimes include some element of extra-territorial application, this legislation makes clear its jurisdictional determination is determined by whether or not a data user controls all or part of the collection, holding, processing and use of personal data from Hong Kong – this definition encompasses controllers as well as processors.
If a data user wishes to transfer personal data outside Hong Kong, they must conduct a transfer impact assessment that considers both legal environments and practices of each jurisdiction wherein their data will be transferred as well as whether adequate protections exist under PDPO.
If data users fail to conduct transfer impact analyses as required under the PDPO, penalties of up to HK$1 million and five years imprisonment apply. Furthermore, PCPD can independently investigate complaints against data users and take enforcement actions against them as appropriate. Under this Act, organizations of any size or industry are subject to prosecution by law enforcement for violations. As such, it is vitally important that organizations adhere to this PDPO in order to avoid costly fines and operate within legal boundaries. Tanner De Witt’s Padraig Walsh provides an in-depth summary of the Personal Data Protection Ordinance’s key provisions, obligations, individual rights and data transfer restrictions – a must-read for anyone involved in Hong Kong data processing activities.